What You Need to Know About the Conditions and Maintenance of Certification

Now that the dust has settled ever so slightly on the Office of the National Coordinator for Health Information Technology’s (ONC) Cures Act Final Rule, we wanted to dive a little deeper into the Conditions and Maintenance of Certification provisions.

What exactly are the Conditions and Maintenance of Certification?

For background, Section 4002 of the 21st Century Cures Act requires the Department of Health and Human Services (HHS) to establish Conditions and Maintenance of Certification requirements for the ONC Health IT Certification Program. These express initial, as well as ongoing, requirements for health IT developers and their certified Health IT Module(s).

The 21st Century Cures Act established seven Conditions of Certification, and most have an accompanying Maintenance of Certification Requirement:

I’ll briefly review each of these in this post, but those who want more detail should check out the Final Rule and read more about each one, including responses to the comments that we received.

Information Blocking

The Information Blocking requirement prohibits any health IT developer participating in the ONC Health IT Certification Program from taking any action that constitutes information blocking as defined by the law.

Assurances

The Assurances condition requires a health IT developer to report that it does not inhibit the appropriate exchange, access, and use of electronic health information, or EHI. In addition to certain records retention requirements, to maintain certification under this condition, health IT developers must provide their customers with technology certified to the EHI export certification criterion if they are a developer of a certified product that stores EHI.

Communications

The Communications requirement bars health IT developers from prohibiting or restricting communications about certified Health IT Modules related to the following subjects:

The usability of its health IT;

The interoperability of its health IT;

The security of the health IT;

Relevant information regarding user’s experiences when using its health IT;

The business practices of developers of health IT related to exchanging EHI; or

The manner in which a user of the health IT has used such technology.

And to comply with the Maintenance of Certification, health IT developers who currently prohibit or restrict these practices must notify their customers annually – starting in 2020 – that any communication or contract/agreement provision that violates the Communication Condition of Certification will not be enforced by the health IT developer. They must also notify all customers annually up to and until the health IT developer amends the contract or agreement to remove or void any contractual provisions that violate the Condition of Certification.

Application Programming Interfaces (APIs)

The API condition of certification requirement was established to address the circumstances related to the use of certified API technology in the healthcare system, including certified API developer business practices. The API conditions of certification specifically address ongoing requirements that must be met by certified API developers and their certified API technology related to transparency, fees, and openness and pro-competitive behaviors.

The transparency condition clarifies the publication requirements on certified API developers for their business and technical documentation necessary to interact with their certified API technology. The fees condition sets criteria for allowable fees, boundaries for the fees certified API developers would be permitted to charge for the use of the certified API technology, and to whom those fees could be charged. Finally, the openness and pro-competitive condition sets business requirements for certified API developers that promote an open and competitive marketplace.

Real World Testing

The Real World Testing requirement means that a health IT developer with particular certified Health IT Module(s) must successfully test the real-world use of the technology for interoperability in the type of setting where the technology would be marketed. The Maintenance of Certification requires a developer to annually submit a real world testing plan to the ONC-Authorized Certification Bodies (ONC-ACB) in time for the plan to be posted on the Certified Health IT Product List (CHPL) no later than December 15. They must also annually submit real world testing results to the ONC-ACB to be posted on the CHPL no later than March 15.

Attestations

The Attestation requirement directs a health IT developer to attest, as applicable, that they comply with the Conditions and Maintenance of Certification requirements. Health IT developers must submit their attestations every six months and a 30-day window was established for submissions. The first attestation window will open on April 1, 2021.

(Future) Electronic Health Record (EHR) Reporting Criteria Submission

The 21st Century Cures Act requires health IT developers, as part of the Condition and Maintenance of Certification requirements under the ONC Health IT Certification Program, to submit reporting criteria on certified health IT. The EHR Reporting Program is still under development, and ONC intends to propose and implement the associated Condition and Maintenance of Certification requirements for health IT developers in future rulemaking.

I would encourage everyone to visit the ONC Cures Act Final Rule website for a wealth of resources on the Final Rule, including previously recorded webinars. That’s where you will find a webinar specific to the Conditions and Maintenance of Certification, where I go into a little more detail on each of the requirements. Finally, ONC is hosting a question and answer session on the Conditions and Maintenance of Certification on April 22, 2020. Register for this webinar and see the schedule of upcoming topics.